ipfw managing rules - best practice?
wishmaster
artemrts at ukr.net
Wed Sep 5 10:12:10 UTC 2018
Hi,
here is my approach.
I have one ipfw.conf and one ipfw.conf.last file, and a script which diffs these files and changes only the rule(s) which have been changed.
Therefore there is no need to reload the ipfw service.
--- Original message ---
From: "Ole" <ole at free.de>
Date: 5 September 2018, 12:29:12
Hi,
I'm using the ipfw firewall on several machines. Rules are made by users by
hand or by configuration management tools.
For this, the ipfw.rules script sources other files:
#!/bin/sh
ipfw -q -f flush            # drops every rule, dynamic (stateful) entries included
cmd="ipfw -q add"
pif="epair0b"               # interface name of NIC attached to Internet
$cmd 00010 allow all from any to any via lo0
# each *.rules file is sourced as shell and uses $cmd and $pif
for RULES in /etc/ipfw.rules.d/*.rules ; do
    . "$RULES"
done
$cmd 09999 deny log all from any to any
If a user or a script alters a file, `service ipfw restart` is called.
This is working fine except for one thing. Active connections like sql,
syslog, ssh, etc. get broken. They are defined like
$cmd 01610 allow tcp from vpn.example.org to me 22 in via $pif setup limit src-addr 50
I understand that these connections get broken because the dynamic
rules get flushed with the `ipfw -q -f flush` command. But commenting
this command out results in a continuously growing rules table.
With the `ipfw -d list` command I can see the dynamic rules.
Is there a way to flush the rules but not the dynamic ones?
Or to add them again after flush?
How do you reload your rules?
Thanks for the help
Ole
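One way to do what wishmaster describes (and to answer Ole's question about reloading without losing dynamic state), as an added example that is not either poster's script: a POSIX sh script that diffs ipfw.conf.last against ipfw.conf and deletes and re-adds only the rule numbers that changed, so untouched rules and the dynamic entries their `limit`/`keep-state` options hold survive. It assumes both files contain bare rule lines starting with the rule number (the arguments of the `$cmd NUM ...` lines above) and that ipfw.conf.last reflects what is currently loaded; the `IPFW` variable and all function names are my own.

```shell
#!/bin/sh
# Incremental ipfw reload: apply only the rules that differ between the
# last applied rule file and the new one. Assumed file format: one rule per
# line, starting with its number, e.g. "00010 allow all from any to any via lo0".
IPFW="${IPFW:-ipfw}"   # override (e.g. with a shell function) to dry-run

# Print $1 with comments and blank lines dropped and whitespace squeezed,
# so cosmetic edits do not count as rule changes.
normalize_rules() {
    awk '{ sub(/#.*/, ""); if (NF == 0) next; $1 = $1; print }' "$1"
}

# Print the lines of $1 that do not occur in $2 (whole-line set difference).
rules_only_in() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# Rule numbers whose rule text differs between last ($1) and new ($2);
# both arguments must already be normalized.
changed_rule_numbers() {
    { rules_only_in "$1" "$2"; rules_only_in "$2" "$1"; } | awk '{ print $1 }' | sort -u
}

# Apply the difference between last ($1) and new ($2). "ipfw delete N" drops
# every rule numbered N, so each touched number is deleted (if it was loaded)
# and then all of its rules from the new file are re-added. No flush happens,
# so dynamic state belonging to unchanged rules is kept.
apply_rule_diff() {
    tmp_last=$(mktemp) || return 1
    tmp_new=$(mktemp) || return 1
    normalize_rules "$1" > "$tmp_last"
    normalize_rules "$2" > "$tmp_new"
    changed_rule_numbers "$tmp_last" "$tmp_new" | while read -r num; do
        if grep -q -- "^$num " "$tmp_last"; then
            $IPFW -q delete "$num"
        fi
        grep -- "^$num " "$tmp_new" | while read -r rule; do
            $IPFW -q add $rule   # unquoted on purpose: the rule is a word list
        done
    done
    rm -f "$tmp_last" "$tmp_new"
}

# Usage: sh ipfw-diff.sh /etc/ipfw.conf.last /etc/ipfw.conf
# On success the new file becomes the record of what is loaded.
case $# in
    2) apply_rule_diff "$1" "$2" && cp "$2" "$1" ;;
esac
```

A rule whose number is changed counts as a delete of the old number plus an add of the new one, and the dynamic entries of the old rule go away with it, which is the same thing ipfw does when that rule is deleted by hand.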
More information about the freebsd-ipfw mailing list